ZeroFOX reports a new type of financial scam involving Bitcoin that’s actively spreading across social networks. We have previously uncovered fraudulent social network campaigns targeting users like bank customers, holiday shoppers and mobile gamers. Whether it’s these victims or Bitcoin owners, if there’s one thing we’ve learned about social network scammers, it’s that they succeed by leeching onto the money-driven hype associated with the latest and greatest hallmarks of popular culture.

Why Bitcoin?

Bitcoins are verified through encrypted transactions, which are eternally recorded on a ledger that’s accessible to anybody. This ostensibly helps wallet-holders hamper the type of fraud, theft and sensitive data compromise that’s marred other modern payment vehicles like credit cards and online money transfer services. But for all its afforded security benefits, this digital gold has introduced a brand new kind of digital criminal ecosystem.

What makes Bitcoin owners such lucrative targets on social media? Ironically, exactly the same thing that makes Bitcoin more secure – its decentralized, anonymous and irreversible nature.

Decentralized: Unlike other currencies, Bitcoin isn’t controlled by any financial institution or government. When fraud is committed in Bitcoin’s name, its lack of a central authority is exactly what makes it impossible to recover any losses. Once a victim is duped, the buck stops there: no bank or credit card issuer can bail them out in this regulatory vacuum.

For these reasons among others, Bitcoin has blossomed into the modern scammer’s preferred method of payment. Social media provides access to a key demographic of digitally connected people who are most interested in getting into the Bitcoin game, but who also lack the specialized expertise necessary to tell a legitimate from an illegitimate offer. Below, we dissect some representative examples of Bitcoin-related social media scams detected by the ZeroFOX Platform, and conclude with high-level statistics highlighting their impact and pervasiveness.

Four Categories of Bitcoin Scam

ZeroFOX identified four main categories of scam, each leveraging a different payload to attack victims and extort Bitcoin.

Fake Bitcoin wallets hiding malware downloads: Attracting users to click through URLs posted to social media is a technique that ZeroFOX has observed in a variety of attacks. This one uses the promise of Bitcoin to lure the user into following a URL that subsequently attempts to download a malware-laden app (Figure 1). We also discovered that fake Bitcoin surveys are often used to distribute malware, and we advise caution when encountering any social media URL that is either shortened or not secured with an HTTPS connection.

Figure 1: A) Twitter users propagate the malicious URL as a way to earn Bitcoin profit. According to VirusTotal vendors, the website is laced with malicious files including B) a credential-stealing Bitcoin miner and C) an executable resembling a Gadoux botnet installer that attempts to connect to a live C&C server.

Bitcoin phishing impersonators: Impersonators run rampant on social media, and impersonating the Bitcoin brand itself is a tactic that can be used to gain credibility and a victim’s trust. This phishing website allegedly offers a search service, enticing users to enter their private Bitcoin key to see if it exists in the site’s database (Figure 2). Once entered, the private key is simply phished, allowing the scammer to spend directly from the curious Bitcoin owner’s wallet.

Figure 2: A) An impersonator uses the recognizable Bitcoin logo as their Twitter avatar, and posts with click-baity rumors and hashtags to spread phishing URLs to their followers and beyond. B) The URL destination is a phishing webpage that harvests Bitcoin private keys.

Bitcoin-flipping scams: These scams could be an offer to instantly exchange Bitcoins for money after paying an initial startup fee or a promise to double your initial investment overnight (Figure 3). The other end of the bargain is never held up, and Bitcoins are stolen immediately. We’ve previously reported on money-flipping scams targeting bank customers, which similarly exploit this low-risk tactic that bears fruit for scammers when distributed in high volumes. Scammers succeed because they’re able to broadcast their scam to thousands of unsuspecting targets through social media.

Bitcoin pyramid schemes: These scams are harder to recognize than the more egregious Bitcoin-flipping examples described above, but the end result is the same; the scammer eventually makes off with the victim’s stolen Bitcoins. This tried and tested idea relies upon high yield investment programs and multi-level marketing. In these ethically grey schemes, a low initial investment can be multiplied by signing up additional members using referral links. New members are then encouraged to do the same, rinse and repeat. Before long, hundreds of victims have joined the scheme. At a later point in time, the original scammer walks away and the pyramid collapses. The example in Figure 4 involves fake donations; the irony here is that not only the scammer but also their subsequent victims use social media to spread word of the scheme. Despite all promises, there’s no ROI to be had here.

Figure 4: A) Public YouTube videos market a Bitcoin pyramid scheme to unknowing subscribers and viewers. B) The pyramid scheme website is sophisticated and easy to use – disguising the eventual deception as a legitimate business opportunity.

Cloud mining scams are another example of Bitcoin pyramid schemes. These are even more difficult to disambiguate because some cloud mining services are indeed legitimate. In cloud mining, Bitcoin wallet holders join forces to rent souped-up Bitcoin mining computers, which need to be powerful (or lucky) enough to solve the cryptographic hash function algorithms necessary to discover new Bitcoins. But for the most part, these are scams that promise big and deliver little (Figure 5).

Figure 5: A) A Facebook advertisement for a cloud mining service promises guaranteed profit for would-be sign-ups. B) The website is sleekly designed to resemble a tech startup landing page.

The Reach of Bitcoin Scams on Social Media

The above examples illustrate the myriad of ways that Bitcoins can be exploited to scam social media users, but the problem is more systemic than a few anecdotal examples. After observing these types of scams in the wild, we crafted a rule on the ZeroFOX Platform that alerted anytime a new social media post or profile was created resembling an already encountered scam. Once instantiated, the rule instantly began scouring social media and other digital channels for OSINT content containing the scam indicators.

In the days and weeks following the news that a single Bitcoin was worth more than its weight in gold, we analyzed data caught by this rule to ascertain how often Bitcoin scams were being spread over social media and beyond. To date, we’ve identified 3,618 Bitcoin scam URLs. We measured how often posts containing these URLs were shared over a three-week period in early March, and discovered a total of 516 shares averaging 24.53 shares per day.

But not all Bitcoin scam posts contained URLs to known scam websites. Some asked for direct contact via DM or phone, some posted URLs we had not yet discovered (but have added since), and some directed post viewers towards URLs contained within their bios or superimposed over an attached image. These were much more numerous, totaling 8,742 posts for an average of about 416 posts per day over the same period of time. Scammers had unique profiles over 68% of the time.
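The kind of indicator matching described above can be sketched as follows. This is an added example, not ZeroFOX's FoxThreat rule or any code from the original post; the host lists, lure patterns and the two-indicator alert threshold are assumptions chosen to mirror the scam categories in this write-up.

```python
import re
from urllib.parse import urlparse

# Constructed sample values for illustration; not ZeroFOX rule content.
KNOWN_SCAM_HOSTS = {"btc-keycheck.example"}
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TOPIC_RE = re.compile(r"\b(bitcoins?|btc)\b", re.I)
# One pattern per lure described in the write-up (exact wording is assumed).
LURES = {
    "private_key_request": re.compile(r"\bprivate\s+key\b", re.I),
    "flipping_offer": re.compile(r"\b(doubl\w*|flip\w*|overnight)\b", re.I),
    "guaranteed_profit": re.compile(r"\bguaranteed\s+(profits?|returns?)\b", re.I),
    "referral_recruiting": re.compile(r"\breferr?al\b|[?&]ref=", re.I),
    "off_platform_contact": re.compile(r"\bDM\s+(me|us)\b|\+?\d[\d\s().-]{8,}\d", re.I),
}


def indicators(post, bio=""):
    """Return the sorted scam indicators found in a post and its author's bio."""
    text = f"{post}\n{bio}"  # lures are sometimes placed in the bio, not the post
    found = {name for name, rx in LURES.items() if rx.search(text)}
    for url in URL_RE.findall(text):
        try:
            parts = urlparse(url)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URL text: skip it rather than crash
            continue
        host = host[4:] if host.startswith("www.") else host
        if host in KNOWN_SCAM_HOSTS:
            found.add("known_scam_url")
        if host in SHORTENERS:
            found.add("shortened_url")
        if parts.scheme.lower() == "http":
            found.add("non_https_url")
    return sorted(found)


def should_alert(post, bio=""):
    """Alert on a curated scam URL, or a Bitcoin-themed post with 2+ indicators."""
    hits = indicators(post, bio)
    if "known_scam_url" in hits:
        return True
    return bool(TOPIC_RE.search(f"{post}\n{bio}")) and len(hits) >= 2
```

Requiring a Bitcoin mention plus at least two indicators keeps ordinary posts that merely contain a shortened link or a referral code from alerting, while a match against the curated URL set alerts on its own.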

Historically, all curated Bitcoin scam URLs were shared a staggering 126,276,549 times within social media posts. This number was skewed upward by two specific URLs that’ve been shared over 40m times and two others that were shared over 10m times. Excluding these outliers, the Bitcoin scams were shared an average of 5,367 times all-time per URL. The virality of these scams confirms their Ponzi end goals, which are reinforced by the amplifying nature of social networks.

Recommendations

ZeroFOX recommends the following:

Don’t trust anyone claiming they will give you or help you mine Bitcoin. Again, cryptocurrency is valued by cybercriminals for a reason, and nefarious behavior related to Bitcoin runs rampant on social media and digital channels.

By studying the tactics employed by Bitcoin scammers, and in conjunction with this blogpost, ZeroFOX Research is releasing a new FoxThreat rule in the ZeroFOX Platform that automatically alerts our customers to these types of scams in real-time. Like Bitcoin’s market price, social media scams are volatile, rapidly changing from one day to the next. ZeroFOX Research is committed to uncovering malicious campaigns that weaponize social media and other digital channels, and to protecting against subsequent adversarial drift. Our goal is to raise security awareness and to share intelligence around new risks that businesses, their employees and their customers can expect to combat as the adversary continues to evolve. Find out about ZeroFOX’s automated technology at zerofox.com/platform.